[... snip ...]
Not necessarily true. Remember that your username is still an unknown, and as such brute force/dictionary type attacks for access are likely to succeed quite quickly direct to superuser status, whereas if you have zero root access via ssh and use sudo or allow su to root you will still have a number of pitfalls for the would-be attacker. E.g.:

SSH login: user1
user1 has rights to su user2 but no admin rights or access to sudo
user2 has rights to use sudo but also no admin rights
sudo can be configured to allow for specific command sets only.
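The "specific command sets only" part of the message above is where most real-world sudo setups go wrong, so here is an added example (POSIX sh, not code from anyone in this thread) that constructs a small sudoers fragment like the one described, user2 restricted to two commands, and runs a lint over it. The lint flags rules that grant ALL commands or hand out programs with well-known shell escapes (editors, pagers, interpreters), the classic way a "limited" sudo rule becomes full root. The fragment, the user names and the list of escape-capable programs are all constructed for the example; `visudo -c -f` remains the authoritative syntax check and is run when it is installed.

```sh
#!/bin/sh
# Added example: lint a sudoers fragment for rules that defeat the "specific
# command sets only" idea. Not a replacement for visudo, which is run below
# when available. Cmnd_Alias lines are skipped, so aliased commands are not
# examined by this heuristic (a known limitation).

# lint_sudoers FILE: print one finding per rule that grants ALL commands or a
# command that can spawn a shell (the attacker then has root anyway).
lint_sudoers() {
    awk '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    /^[[:space:]]*(Defaults|Cmnd_Alias|User_Alias|Host_Alias|Runas_Alias)/ { next }
    {
        spec = $0
        sub(/^[^=]*=/, "", spec)                           # drop "user host="
        sub(/^[[:space:]]*\([^)]*\)[[:space:]]*/, "", spec) # drop "(runas)"
        n = split(spec, cmds, ",")
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
            while (sub(/^[A-Z_]+:[[:space:]]*/, "", c)) { }  # strip NOPASSWD:, NOEXEC: ...
            if (c == "ALL") {
                print FILENAME ":" NR ": grants ALL commands: " $0
                break
            }
            base = c
            sub(/[[:space:]].*/, "", base)                 # drop arguments
            sub(/.*\//, "", base)                          # drop directory
            # constructed list of programs known to offer a shell escape
            if (base ~ /^(vi|vim|view|less|more|man|emacs|nano|sh|bash|dash|zsh|ksh|csh|tcsh|find|python[0-9.]*|perl|awk|gawk|tar)$/) {
                print FILENAME ":" NR ": shell escape via " base ": " $0
                break
            }
        }
    }' "$1"
}

# count_sudoers_findings FILE: number of rules flagged by lint_sudoers.
count_sudoers_findings() {
    lint_sudoers "$1" | awk 'END { print NR }'
}

# validate_sudoers FILE: the real syntax check, where visudo exists.
validate_sudoers() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not available; syntax check skipped"
    fi
}

tmp=$(mktemp -d)
# Constructed sample fragment: user2 gets two commands as in the message;
# the other two rules are the mistakes the lint is meant to catch.
cat > "$tmp/sudoers" <<'EOF'
# example fragment, not from any real system
admin   ALL=(ALL:ALL) ALL
user2   ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/apt-get update
ops     ALL=(root) NOPASSWD: /usr/bin/vim /etc/hosts
EOF

lint_sudoers "$tmp/sudoers"
echo "findings: $(count_sudoers_findings "$tmp/sudoers")"
validate_sudoers "$tmp/sudoers" || echo "visudo reported a problem (syntax, ownership or mode)"
rm -rf "$tmp"
```

The admin rule and the vim rule are reported; the user2 rule passes. Note that even a "safe" command list needs a second look for argument wildcards and for commands that can write arbitrary files, which this heuristic does not try to judge.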
I think it's too complicated in the real world for daily use... and for most cracks you can be very lucky if you have captured one local user account. Then you can use e.g. local buffer overflows etc.
If you are local, then you have a user. Since access to such a user account implies that it's equivalent to root, these user accounts have to be protected just the same way as root. I don't see any reason why to handle the level of protection differently.
Think so, too. Protect every user at all costs... My solution would be:
- use MD5 passwords (good and long ones, so brute force would be useless), use Kerberos or even better disable passwords
- use only SSH protocol type 2 (don't use type 1!!!)
- create a DSA key (choose a good passphrase)
- put your public key on the server in the desired account
- if you wish to... activate SSH-Agent (type your passphrase once, be happy for the day, even on X servers)
- log in with your key (passwords will never pass the network)
- if you wish to... activate agent forwarding and hop on different servers without ever being prompted for a password (so never transferred over the network)

Regards
Jörg
--
GMX - The communication platform on the Internet. http://www.gmx.net
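As an added example (not part of any message in this thread), here is a POSIX sh script that does both halves of the list above. Server side it rewrites a constructed sshd_config so that only protocol-2, public-key logins are accepted, taking care of a detail that bites people: sshd uses the first value it sees for a keyword, so a directive must be removed before the hardened value is added, not just appended at the end. Client side it generates a passphrase-protected key and installs the public key into authorized_keys with the permissions sshd's StrictModes requires. Assumptions: the config file and home directory are throwaway paths created by the script; the key is ed25519 rather than the DSA key suggested above, because recent OpenSSH releases have dropped DSA support; the client step is skipped when ssh-keygen is not on the path.

```sh
#!/bin/sh
# Added example: key-only, protocol-2 SSH logins on a constructed config.

# harden_sshd_config IN OUT: copy IN to OUT with our directives enforced.
# First-match-wins in sshd_config, so existing lines for these keywords are
# dropped before the hardened values are appended.
harden_sshd_config() {
    _in="$1"; _out="$2"
    grep -v -i -E '^[[:space:]]*(Protocol|PasswordAuthentication|PubkeyAuthentication|PermitRootLogin|ChallengeResponseAuthentication|PermitEmptyPasswords)([[:space:]]|$)' "$_in" > "$_out" || :
    cat >> "$_out" <<'EOF'
# key-only, protocol 2 logins (appended by harden_sshd_config)
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitEmptyPasswords no
EOF
}

# sshd_setting FILE KEYWORD: the effective (first) value, lower-cased.
sshd_setting() {
    grep -i -E "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# check_sshd_config FILE: succeed only if the effective settings match the
# policy. "Protocol 2,1" fails here, which is the point of "don't use type 1".
check_sshd_config() {
    [ "$(sshd_setting "$1" Protocol)" = "2" ] &&
    [ "$(sshd_setting "$1" PasswordAuthentication)" = "no" ] &&
    [ "$(sshd_setting "$1" PubkeyAuthentication)" = "yes" ] &&
    [ "$(sshd_setting "$1" PermitRootLogin)" = "no" ]
}

# client_key_setup HOME PASSPHRASE: key with a passphrase, public key placed in
# authorized_keys (standing in for the remote account) with StrictModes-safe
# permissions. Skipped when ssh-keygen is not installed.
client_key_setup() {
    _home="$1"; _pass="$2"
    command -v ssh-keygen >/dev/null 2>&1 || { echo "ssh-keygen not found, client step skipped"; return 0; }
    mkdir -p "$_home/.ssh" && chmod 700 "$_home/.ssh"
    # ed25519 instead of DSA: DSA keys are no longer supported by recent OpenSSH.
    ssh-keygen -q -t ed25519 -N "$_pass" -C "added-example" -f "$_home/.ssh/id_ed25519"
    cat "$_home/.ssh/id_ed25519.pub" >> "$_home/.ssh/authorized_keys"
    chmod 600 "$_home/.ssh/authorized_keys"
    # Remaining steps are interactive (passphrase typed once into the agent):
    #   eval "$(ssh-agent -s)"; ssh-add "$_home/.ssh/id_ed25519"; ssh -A user@host
    echo "key installed in $_home/.ssh/authorized_keys"
}

tmp=$(mktemp -d)
# Constructed sample: the weak settings the list above warns about.
cat > "$tmp/sshd_config" <<'EOF'
Port 22
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
Subsystem sftp /usr/lib/openssh/sftp-server
EOF

if check_sshd_config "$tmp/sshd_config"; then echo "original: accepted"; else echo "original: rejected"; fi
harden_sshd_config "$tmp/sshd_config" "$tmp/sshd_config.hardened"
if check_sshd_config "$tmp/sshd_config.hardened"; then echo "hardened: accepted"; else echo "hardened: rejected"; fi
client_key_setup "$tmp/home" "a long passphrase typed once into ssh-agent"
rm -rf "$tmp"
```

Agent forwarding deserves one caveat the list glosses over: with `ssh -A` the agent socket is reachable by root on every intermediate host, so hop only through machines you trust as much as your own workstation.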